Cryptography Lecture 24

Special topics? It looks like we will have 1-2 lectures devoted to “special topics” Will not be on final exam Schedule on webpage has some candidate topics Feel free to email me suggestions for topics

Dlog-based PKE

Diffie-Hellman key exchange G, q, g, h1 h2 (G, q, g)  G(1n) x  ℤq h1 = gx y  ℤq h2 = gy c2 = k · m k = (h1)y k = (h2)x m = c2 · k-1

El Gamal encryption Public key G, q, g, h1 h2, h1y · m h2 (G, q, g)  G(1n) x  ℤq h1 = gx y  ℤq h2 = gy c2 = k · m k = (h1)y k = (h2)x m = c2 · k-1

El Gamal encryption Gen(1n) Run G(1n) to obtain G, q, g. Choose uniform xℤq. The public key is (G, q, g, gx) and the private key is x Encpk(m), where pk = (G, q, g, h) and m  G Choose uniform y  ℤq. The ciphertext is gy, hy·m Decsk(c1, c2), where sk = x Output c2/c1x = c2  c1-x

Security? If the DDH assumption is hard for G, then the El Gamal encryption scheme is CPA-secure Follows from security of Diffie-Hellman key exchange, or can be proved directly Note that the discrete-logarithm assumption alone is not enough here  Secure for encryption of multiple messages (using the same public key)! Note that sender(s) must use fresh randomness for each encryption

El Gamal in practice Parameters G, q, g are standardized and shared Need to encode message as a group element In some groups, there are natural ways to do this In other cases, not as easy Will see later a better way of resolving this issue

Chosen-ciphertext attacks? El Gamal encryption is not secure against chosen-ciphertext attacks Follows from the fact that it is malleable Given ciphertext (c1, c2), transform it to obtain the ciphertext (c1, c’2) = (c1,  · c2) for arbitrary  Since (c1, c2) = (gy, hy · m), we have (c1, c’2) = (gy, hy · (m)) I.e., encryption of m becomes an encryption of m!

Attack! (Assume 2  G  ℤ*p) G, q, g, h c1, c2 c1, 2 ·c2 First bid: m Second bid: 2m

Hybrid encryption and KEMs

Encrypting long messages Public-key encryption schemes “natively” defined for short messages E.g., El Gamal encryption How can longer messages be encrypted?

Encrypting long messages Can always encrypt block-by-block I.e., to encrypt M = m1, m2, …, ml, do: Encpk(m1), …, Encpk(ml) If the underlying scheme is CPA-secure (for short messages), then this is CPA-secure (for arbitrary length messages) Why?

Note (Public-key) encryption is NOT a block cipher Fk is deterministic, one-to-one, and looks random Encpk is randomized (if it is CPA-secure), thus not one-to-one, and may not look random CTR-mode/CBC-mode don’t make sense for public-key encryption CTR-mode is completely insecure... “ECB mode” is secure for public-key encryption Because underlying scheme is randomized

Encrypting long messages Encrypting block-by-block is inefficient Ciphertext expansion in each block Public-key encryption is “expensive” Can we do better?

Hybrid encryption Main idea Benefits Use public-key encryption to establish a (shared, secret) key k Use k to encrypt the message with a symmetric-key encryption scheme Benefits Lower ciphertext expansion Amortized efficiency of symmetric-key encryption

Hybrid encryption Decryption done in the obvious way Enc’ m ciphertext “encapsulated key” Enc k pk The functionality of public-key encryption at the (asymptotic) efficiency of private-key encryption!

Formally Let  be a public-key scheme, and let ’ be a symmetric-key scheme Define hy as follows: Genhy = Gen (i.e., same as ) Enchy(pk, m): Choose k  {0,1}n c  Encpk(k) c’  Enc’k(m) Output c, c’ Decryption done in the natural way…

Security of hybrid encryption If  is a CPA-secure public-key scheme, and ’ is a CPA-secure private-key scheme, then hy is a CPA-secure public-key scheme Suffices for ’ to be EAV-secure If  is a CCA-secure public-key scheme, and ’ is a CCA-secure private-key scheme, then hy is a CCA-secure public-key scheme

Application to El Gamal? To use hybrid encryption with El Gamal, would need to encode key k as a group element Can we avoid this? The sender doesn’t care about encrypting a specific key, it just needs to send a random key Idea: encrypt a random group element K; define the key as k = H(K)

KEMs For hybrid encryption, something weaker than public-key encryption suffices Sufficient to have a “key encapsulation mechanism” (KEM) that takes a public key and outputs a ciphertext c and a key k Correctness: k can be recovered from c given sk Security: k is indistinguishable from uniform given pk and c; can define CPA-/CCA-security Can still combine with symmetric-key encryption as before!

KEM/DEM paradigm Hybrid encryption KEM/DEM

Security of KEM/DEM If  is a CPA-secure KEM, and ’ is a CPA-secure private-key scheme, then combination is a CPA-secure public-key scheme Suffices for ’ to be EAV-secure If  is a CCA-secure KEM, and ’ is a CCA-secure private-key scheme, then combination is a CCA-secure public-key scheme

KEMs vs. PKE schemes For short messages, direct encryption using a PKE scheme (with no hybrid encryption) can sometimes be the best choice For anything longer, KEM/DEM or hybrid encryption will be more efficient This is how things are done in practice (unless very short messages are being encrypted)

KEM based on El Gamal Gen(1n) Ecapspk, where pk = (G, q, g, h) Run G(1n) to obtain G, q, g. Choose uniform xℤq. The public key is (G, q, g, gx) and the private key is x Ecapspk, where pk = (G, q, g, h) Choose uniform y  ℤq. The ciphertext is gy, and the key is k = H(hy) Decapssk(c), where sk = x Output k = H(cx)

Security? If the DDH assumption holds, and H is modeled as a random oracle, then this KEM is CPA-secure

Complete scheme Combine the KEM with private-key encryption I.e., encryption of message m is gy, Enc’k(m), where k = H(hy) and Enc’ is a symmetric-key encryption scheme If Enc’ is CPA-secure and H is modeled as a random oracle, this is a CPA-secure public-key encryption scheme

Chosen-ciphertext security Under stronger assumptions, this approach can be proven to give CCA security If Enc’ is a CCA-secure symmetric-key scheme Can at least see why the previous attack no longer works Standardized as DHIES/ECIES